Applying Center for Internet Security ICS Cybersecurity Controls

Power, water and wastewater utilities are critical infrastructure and require ongoing industrial control system (ICS) cybersecurity risk-reduction efforts. A systematic, integrated approach to ICS cybersecurity supports safe, reliable and efficient operations.

If you’re an Ovation DCS user and will be joining us at this conference, make sure to stay for the optional ICS cybersecurity training session, Applying the CIS Controls in OT Environments, on the afternoon of August 2nd. Emerson’s Jaime Foose will give an overview of the Center for Internet Security’s Critical Security Controls and their applicability to industrial control system environments, along with tips and recommendations for deploying these types of solutions in highly sensitive environments.

This training session will start by introducing each of the CIS Controls. Using experience from a recent “never been done before” project that encompassed five coal-fired power plants and one coal mine, the session then covers the benefits, challenges and lessons learned from using the Top 20 Critical Security Controls (CSC).

Development of the CIS Controls began in 2008, when the U.S. National Security Agency (NSA) started the project at the request of the Department of Defense (DoD). The goal was to take the many cybersecurity controls that already existed and prioritize them according to the prevalence and frequency of the attack methods they defend against. Although it started as a government project, it was quickly opened to the private sector for input and collaboration.

Through a partnership between the NSA, the CIS and the SANS Institute, a consortium was established to share knowledge and information. As the project progressed, additional members joined the consortium, expanding the base of attack data used to develop the list of controls.

Through this tight collaboration between the public and private sectors, the consortium published an initial draft in early 2009. The draft was circulated to several hundred IT organizations for evaluation, and more than 50 of them provided comments, which were then used to refine the document further.

The list of controls was found to align closely with the 3,085 real-world attacks experienced by the U.S. State Department in FY2009. A project was then launched to implement the controls across the State Department’s entire cyber environment. The program reported “more than an 88% reduction” in vulnerability-based risk across 85,000 systems and became a model for large government and private-sector organizations.

CSC 1 through CSC 5 are often referred to as “Foundational Cyber Hygiene”: the basic controls that should be deployed first to create a strong foundation for any cybersecurity program. According to CIS, several studies have shown that implementing these first five controls provides an effective defense against the most common cyber-attacks, on the order of 85% of them. In OT environments the same controls still apply, but how they are implemented must be adapted to the sensitivity of the equipment; for example, asset inventory and vulnerability assessment are usually done with passive network monitoring and vendor-approved methods rather than the active scanning common in IT, because unexpected traffic can disrupt controllers and other field devices.